Missing SPF/DMARC Records
SPF and DMARC records are missing or misconfigured, allowing attackers to spoof emails from your domain.
What is Missing SPF/DMARC Records?
SPF (Sender Policy Framework) specifies which mail servers are allowed to send email from your domain. DMARC tells receiving mail servers what to do when SPF/DKIM checks fail. Without these, attackers can send spoofed emails (phishing, CEO fraud, invoice fraud) that appear to come from your domain, damaging your brand and potentially defrauding your customers.
Why It Matters to Your Business
Email spoofing enables phishing attacks that appear to come from your domain. Customers trust emails from your domain, making them more likely to click malicious links or wire money to attackers. The FBI reports $2.7B in losses from business email compromise (BEC) in 2022 alone.
How to Fix It
Add SPF, DMARC, and DKIM records to your DNS: SPF (TXT record on yourdomain.com): v=spf1 include:_spf.google.com include:amazonses.com ~all (replace with your actual mail providers) DMARC (TXT record on _dmarc.yourdomain.com): Start with monitoring: v=DMARC1; p=none; rua=mailto:[email protected] After 1-2 weeks of monitoring, switch to quarantine: v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100 Eventually enforce: v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100 DKIM (depends on your mail provider): Google Workspace: Setup DKIM in Admin Console AWS SES: Enable DKIM signing per domain Microsoft 365: Setup DKIM in Defender portal
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-290: Authentication Bypass by Spoofing |
| Detected By | dns, email_security scanner(s) |
| Severity Level | medium |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our dns, email_security scanner checks for this issue automatically.
Scan My Website Free